A moment of reckoning for student privacy

Concerns are ratcheting up within the U.S. education system about how edtech companies are collecting and using student data. This year, 32 states have more than 80 bills up for discussion regarding how educational data should be handled.

Here’s a rundown of the developments of the last few months.

First, in December there was the scathing, widely disseminated study that condemned school districts for ignoring privacy issues when adopting new cloud technologies. The Fordham Law School's Center on Law and Information Policy conducted the review by surveying 54 public school districts around the country, asking them questions about their policies, parent consent procedures, and edtech contracts. The study concluded, “Cloud services are poorly understood, non-transparent, and weakly governed.”

Then in February the U.S. Department of Education released its guidelines for how schools should protect students' information in this era of edtech and big data. The guidelines were just that -- recommendations instead of law. One such offering: “Maintain awareness of relevant federal, state, tribal, or local laws.” Bear in mind, that’s just the government’s helpful suggestion. The other option is, I suppose, to ignore and flout all laws.

As you might imagine, privacy advocates were less than pleased. The Software & Information Industry Association, on the other hand, commended it, saying that “the guidance makes clear that all parties – technology providers, schools, students and the government – are working toward the same important goals.”

The privacy issues continued through the spring. In March, a Google spokesperson admitted to a reporter that the company “scans and indexes” the student emails it processes through its Apps for Education suite. The issue came up as part of a federal lawsuit Google is facing regarding what it does with consumer data collected through Gmail. Two of the nine plaintiffs were students, required to use Gmail through their schools’ education apps program.

And now, Education Week has commissioned and published an independent review of the data mining policies of three big education companies: Edmodo, Khan Academy, and Pearson. The review found that Khan Academy’s privacy policy was severely lacking, and offered up student data to practically any third party for the taking. Edmodo had a stronger privacy policy, with guarantees that student data is not leased or sold to any third parties, but the review was concerned with how metadata — like student IP addresses — was handled. Pearson was found to be A-OK, largely because the data it collects is owned by the schools, not by Pearson.

These developments show that the more schools — and states — start worrying about how student data is being handled, the bigger impact it will have on any companies seeking to get into the classroom. Privacy is now a realm where fast-growing startups need to invest effort in understanding local, state, and federal legal requirements, in developing transparent policy explanations, and in nailing down how data collection will and won't work. Such efforts may now determine whether or not your product makes it into a district.

It’s also a turning point for education technology in general. Until now, the consumer Internet, where people have largely given up their privacy in exchange for free services and unlimited storage, has translated to the education sector. The regulations that would hypothetically prevent that from happening haven't proved strong or clear enough.

Schools, short on cash, have been thrilled to be able to use highly functional, useful education technology like Google Apps for free. Until now, they’ve kept their eyes shut about potential consequences.

But that period of blissful ignorance is passing, and educators, parents and advocates are starting to demand stronger protections for students.